Policy Information

Date Established: 4/6/2009
Date Last Updated: 8/4/2017
Category: Financial
Responsible Office: Financial Management
Responsible Executive: Vice President for Finance and Administration

Credit/Debit Card Merchant Requirements

Summary

Credit/debit card payments must be processed in an efficient, consistent, secure, and controlled manner in compliance with the Payment Card Industry Data Security Standard.  

Policy Statement

University at Buffalo (UB, university) departments may accept credit/debit cards as an appropriate form of payment for goods, services, and donations. As a credit/debit card merchant, university departments must:

  • Obtain approval from the appropriate business office (Financial Management, University at Buffalo Foundation (UBF), or Campus Dining and Shops (CDS) depending on the funding source) prior to entering into any contracts or purchasing software and/or equipment to process credit/debit card payments
  • Provide Financial Management with a payment card industry (PCI) compliance certificate from the vendor
  • Complete the Credit Card Merchant Request form to accept credit/debit card payments using a point of sale terminal
  • Obtain approval from the Information Security Office for all technology implementations, including payment gateways
  • Establish departmental procedures in accordance with the most current version of the Payment Card Industry Data Security Standard (PCI DSS) for safeguarding cardholder information and secure storage of data at all times and in all formats
  • Annually complete the PCI DSS Self-Assessment Questionnaire distributed by Financial Management to demonstrate the department’s ability to maintain compliance with the PCI DSS.

Departments may accept credit/debit card payments in electronic format or via point of sale terminals to be processed by Financial Management. Financial Management will determine the most appropriate method to accept payment based on customer service, convenience, cost (dollars and time), volume of expected activity, and impact on revenue distribution.

Credit/debit card data is classified as regulated private data. Credit/debit card merchants are responsible for safeguarding the confidentiality of regulated private data in accordance with the following university policies:

  • Password Protection
  • Protection of Regulated Private Data.

The safeguarding and storage of cardholder information is subject to:

  • Periodic reviews conducted by the appropriate business office
  • Audit by Internal Audit
  • Periodic assessment and vulnerability scans conducted by the Information Security Office to assess security controls.

Departments not complying with approved safeguarding, storage, and processing procedures may lose the privilege to serve as a credit/debit card merchant. Penalties for non-compliance include significant fines and withdrawal of payment card services by the payment card industry.

Background

The university recognizes that accepting credit/debit cards as payment for goods, services, and donations improves customer service, brings efficiency to the cash collection process, and is essential when business is conducted electronically.  

The Payment Card Industry (including American Express, Discover, MasterCard, VISA, and other major card brands) has established important and stringent security requirements to protect credit/debit card data. These requirements are called the Payment Card Industry Data Security Standard (PCI DSS). The PCI DSS provides a single approach to safeguarding credit/debit card data for all card brands and details the security requirements for transmitting, storing, accessing, and processing cardholder data. Compliance is the responsibility of the entire institution, with duties and accountability assigned at every level of the payment process.

Applicability

This policy applies to any official or administrator with responsibilities for managing university credit/debit card transactions and those employees entrusted with handling credit/debit cards and credit/debit card information.

Definitions

Cardholder Data

Any personally identifiable data associated with a cardholder including but not limited to account number, expiration date, name, address, social security number, and card validation code (three or four-digit value printed on the front or back of a credit/debit card).

Credit/Debit Card Merchant

A unit that accepts credit/debit card payments.

Payment Card Industry Data Security Standard (PCI DSS)

A set of comprehensive requirements for enhancing payment account data security. The PCI DSS was developed by the founding payment brands of the PCI Security Standards Council including American Express, Discover Financial Services, MasterCard Worldwide, and VISA International to facilitate the broad adoption of consistent data security measures on a global basis.  

The PCI DSS is a multi-faceted security standard that includes requirements for security management, policies, procedures, network architecture, software design, and other critical protective measures. This comprehensive standard is intended to help organizations proactively protect customer account data and offers a single approach to safeguarding sensitive data for all card brands.

Regulated Private Data

Includes bank credit/debit card numbers with or without PINs, social security numbers, state-issued driver license numbers, state-issued non-driver identification numbers, protected health information, passwords, and computer access protection information.

Revenue Distribution

Process used to prioritize the allocation of revenue to departments based on the type of fee collected through the student account billing system.

Responsibility

Department or Unit Heads

  • Consult with the appropriate business office to determine whether accepting credit/debit card payments provides benefits that justify the additional cost.
    • Benefits include assured payment, automation of payment collection, and customer service convenience. Costs include fees associated with accepting credit/debit cards and the time and effort required to comply with credit/debit card regulations.
  • Consult with Financial Management when it is necessary to accept credit/debit cards on a one-time basis.
  • Complete and submit the Credit Card Merchant Request form to the appropriate business office (Financial Management, UBF, or CDS depending on the funding source) to establish a credit/debit card merchant account.
  • Provide Financial Management with a PCI Compliance certificate from the vendor.
  • Review and comply with the following university policies:
    • Password Protection Policy
    • Protection of Regulated Private Data.
  • Review and comply with the most current version of the Payment Card Industry Data Security Standard (PCI DSS).
  • Annually, complete the PCI DSS Self-Assessment Questionnaire distributed by Financial Management.
  • Notify the Information Security Office prior to implementation of any technology changes affecting transaction processing associated with the credit/debit card merchant account.
  • Annually, ensure that the appropriate staff complete the UB PCI Tutorial distributed by Financial Management.

Credit/Debit Card Handlers and Processors

  • Annually complete the UB PCI Tutorial distributed by Financial Management.
  • Review and comply with the following university policies:
    • Password Protection Policy
    • Protection of Regulated Private Data.
  • Review and comply with the most current version of the Payment Card Industry Data Security Standard (PCI DSS).

Financial Management, UBF, CDS

  • Consult with departments regarding the options for the most appropriate method to accept credit/debit card payments.
  • Review and approve the establishment of credit/debit card merchants.
  • Provide the appropriate equipment and training to approved credit/debit card merchants.
  • Administer the process of obtaining new merchant numbers.  
  • Conduct periodic reviews of existing merchants regarding safeguarding and storage of cardholder information.  
  • Provide periodic training on the secure storage and disposal of all non-eCommerce credit/debit card paper transaction records in conjunction with cash handling training.

Financial Management

  • Annually, distribute the UB PCI Tutorial and the PCI DSS Self-Assessment Questionnaire to all departments (regardless of funding source) that accept payment via credit/debit cards.
  • Monitor to ensure that all departments (regardless of funding source) complete the PCI DSS Self-Assessment Questionnaire.
  • Contract with an authorized vendor (a PCI Approved Scanning Vendor) to complete quarterly external vulnerability scans for all departments (regardless of funding source) that electronically accept credit/debit card payments.
  • Update the security scan vendor website with PCI DSS Self-Assessment Questionnaire answers as required by the merchant bank.

Information Security Office

  • Review and approve implementation of payment gateways and technology changes associated with credit/debit card transaction processing.  
  • Conduct periodic reviews for compliance with the PCI DSS.

Contact Information

Contact                            Phone           Email
Financial Management               716-645-2660    lmahalic@buffalo.edu
Information Security Office        716-645-7979    sec-office@buffalo.edu
University at Buffalo Foundation   716-645-3013    UBFACR@buffalo.edu
Campus Dining and Shops            716-645-2521    fsa-accounting@buffalo.edu

History

Policy Revision History
August 2017: Updated the policy to:
  • Discontinue the acceptance of credit/debit card payments through the mail
  • Identify Financial Management as the only business office to process credit/debit card payments; UBF and CDS no longer process credit/debit card payments
May 2015: Updated terminology to change "swipe card machine" to "point of sale terminal."
July 2014: Updated Related Information links to include a new Credit Card Merchant Request form.
May 2011: Updated to include a requirement to provide Financial Management with a PCI Compliance certificate for the vendor.

Presidential Approval

Signed by John B. Simpson, President

Date: 4/6/2009